
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
Why It Matters
These incidents expose gaps in both modern and legacy security controls, forcing enterprises to accelerate patching, credential hygiene, and supply‑chain vetting to protect critical assets and maintain regulatory compliance.
Key Takeaways
- Zerion employee device compromised, $100K stolen from internal hot wallets
- Microsoft Defender zero‑day RedSun enables SYSTEM escalation on Windows 10/11
- CISA adds 2009 Excel RCE to KEV; must patch by April 28
- Fake Ledger Live app stole $9.5 million before Apple removed it
- Brute‑force attempts on SonicWall and FortiGate devices spiked early 2026
Pulse Analysis
Supply‑chain attacks are evolving from opportunistic exploits to highly targeted operations. The Zerion breach, attributed to the North Korean UNC1069 group, demonstrates how threat actors combine AI‑driven social engineering with stolen credentials to access internal crypto wallets, bypassing user‑facing defenses entirely. At the same time, counterfeit applications like the fake Ledger Live app illustrate the persistent lure of official app stores, where malicious actors can harvest seed phrases and exfiltrate millions in cryptocurrency before platform operators react. Organizations must broaden their threat models to include insider‑style vectors and continuously monitor credential exposure across development and operations teams.
Legacy vulnerabilities continue to pose outsized risks despite the passage of time. CISA’s decision to add the 2009 Excel remote‑code‑execution flaw to its Known Exploited Vulnerabilities catalog signals that attackers still weaponize decades‑old bugs to gain footholds in high‑value environments. Coupled with the newly disclosed RedSun privilege‑escalation flaw in Microsoft Defender, which grants SYSTEM rights on patched Windows 10 and 11 systems, the episode underscores a critical gap: many enterprises lag in applying patches or lack visibility into privileged‑process exploits. Proactive vulnerability management, including rapid testing of vendor patches and layered endpoint controls, is essential to mitigate these enduring threats.
Geopolitical cyber activity adds another layer of complexity. China‑linked APT41 deployed an ELF backdoor that silently harvests cloud credentials across major providers, using SMTP port 25 as a covert C2 channel, while Russian‑affiliated groups weaponize RDP phishing and brute‑force attacks against perimeter devices like SonicWall and FortiGate. The surge in credential‑spraying attempts on edge appliances highlights the need for strong password policies, multi‑factor authentication, and continuous monitoring of authentication logs. As regulators tighten policies—evident in the EU’s upcoming anonymous age‑verification app and Google’s navigation‑spam crackdown—companies must align security practices with evolving compliance expectations to stay ahead of both state‑sponsored and criminal adversaries.